feat: implement cmpd's PolicyRules

[cjc7373]

Fixes #8310. Things done in this PR:

• implements cmpd's PolicyRules
• changes the semantics of serviceAccountName in cluster and component CR. KB now does not create rbac resources if user has specified a service account.
• serviceaccount is now within a component's level, with a name of kb-<clusterName>-<compName>.

TODO:

• update pg addon's cmpd policyRule since we removed kubeblocks-patroni-pod-role

[codecov]

Codecov Report

Attention: Patch coverage is 72.00000% with 28 lines in your changes missing coverage. Please review.

Project coverage is 62.06%. Comparing base (cdd2d01) to head (8c646de).
Report is 15 commits behind head on main.

Files with missing lines	Patch %	Lines
controllers/apps/transformer_component_rbac.go	75.64%	11 Missing and 8 partials ⚠️
pkg/controller/factory/builder.go	27.27%	8 Missing ⚠️
pkg/controller/component/synthesize_component.go	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8328      +/-   ##
==========================================
+ Coverage   61.29%   62.06%   +0.76%     
==========================================
  Files         350      351       +1     
  Lines       41172    41751     +579     
==========================================
+ Hits        25236    25911     +675     
+ Misses      13637    13533     -104     
- Partials     2299     2307       +8     

Flag	Coverage Δ
unittests	62.06% <72.00%> (+0.76%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cjc7373]

This role is also not needed since relavant code removed in #8203

[Y-Rookie]

remove shouldSkipObjOwnedByComp and use isOwnedByComp directly

[Y-Rookie]

if SA is not exist, raise an error?